Operations Security

1
Operations Security

2
Introduction

• Topic Operations Security
• Approach - General security principles
• The Problem
• The Control

3
General Security Principles

• Accountability
• Authorization
• Logging
• Separation of duties
• Least privilege
• Risk reduction
• Layered defense
• Redundancy

4
Critical Operational Controls

• Resource protection
• Privileged-entity control
• Hardware control

5
The Problem

• Powerful system utilities
• Powerful system commands
• Superzapping - system utility or application that
  bypasses all access controls and audit/logging
  functions to make updates to code or data
• Direct control over hardware and software
• Direct control over all files
• Direct control over printers and output queues
• Powerful Input/Output commands
• Direct access to servers
• Initial program load from console

6
The Problem

• Control over job schedule and execution
• Control over all storage media
• Bypass label processing
• Re-labeling resources
• Resetting date/time, passwords
• Control of access ports/lines
• Erroneous transactions (fraud)
• Altering proper transactions
• Adding improper transactions
• Denial of service/Delays in operation
• Personal use, Disclosure
• Audit trail/log corruption/modification

7
Protected Resources

• Password files
• Application program libraries
• Source code
• Vendor software
• Operating System
• Libraries
• Utilities
• Directories
• Address Tables
• Proprietary packages
• Communications HW/SW
• Main storage
• Disk tape storage

8
Protected Resources (2)

• Processing equipment
• Stand-alone computers
• Sensitive/Critical data
• Files
• Programs
• System utilities
• System logs/audit trails
• Violation reports
• Backup files
• Sensitive forms
• Printouts

9
The Control

• Accountability -
• Personnel reviews - Background checks
• Password management
• Personal
• System
• Maintenance
• Trap door - system or application password
  included for ease of vendor maintenance

10
The Control

• Accountability -
• Logging of all activities
• Protected/duplicated log

11
The Control

• Accountability -
• Problem reporting and change procedures
• Reduce failures
• Prevent recurrence
• Reduce impact
• Types - Performance/availability
• Hardware/software
• Environment
• Procedures/Operations
• Network
• Safety/security

12
The Control

• Accountability -
• Problem reporting and change procedures
• Violation analysis
• Repetitive mistakes
• Exceeding authority
• Unrestricted access
• Patterns - hackers, disgruntled employees
• Clipping level - baseline violation count to
  establish normal violation levels

13
The Control

• Least Privilege
• Granular access control over system commands
• Individual access permissions
• Hardware/Software elements procedures to enable
  authorized access and prevent unauthorized access
• Periodic review of access needed/granted

14
The Control

• Separation of Duties - Operations
• All changes require approval
• Operational staff should not code or approve
  changes
• Operational staff responsible for
• Installing system software
• Start up/Shut down
• Backup/recovery
• Mounting disks/tapes
• Handling hardware
• Adding/removing users (?)
• Operational staff should not perform security
  duties
• Security administration
• Application administration
• Network administration

15
The Control

• Responsibilities in Operations should be divided
• Help desk
• Job rotation

16
The ProblemSeparation of Duties - Security

• Operations activities
• Adding/removing users (?) DAC
• Setting clearances
• Setting passwords
• Setting other security characteristics
• Changing profiles
• Setting file sensitivity labels
• Setting security characteristics of devices,
  communications channels
• Reviewing audit data

17
The Control

• Layered Defense
• Emergency procedures requiring approval

18
The Control

• Read vs Read/Write access
• Training - Equipment/system
• Documentation
• Procedures

19
The Problem

• Physical access to the computer room and devices
  there
• IS programmers
• Cleaning/maintenance
• Vendor support
• Contract/Temp staff
• Memory content modification
• Microcode changes
• Device shutdown
• Shoulder surfing over Operators shoulder
• Physical access to printouts - rerouting
• Access to print queues
• Access to printers

20
The Control

• Authentication Least Privilege
• Authorization for access to the facility
• Closed shop - physical access controls limiting
  access to authorized personnel
• Operations security - controls over resources -
  HW, media operators with access
• Operations terminals
• Servers/routers/modems/circuit rooms
• Sniffer - device that attaches to the network and
  captures network traffic
• Magnetic media

21
The Control

• Authentication Least Privilege
• Enforced control of access to the facility
• Security perimeter - boundary where security
  controls protect assets
• System high security - system and all peripherals
  are protected at level of highest security
  classification of any information housed by the
  system
• Tempest - reception of electromagnetic emanations
  which can be analyzed to disclose sensitive or
  protected information

22
The Control

• Physical oversight of operator console
• Supervision of personnel - Realtime and
  Non-realtime
• Operating logs
• Inventory
• Change control procedures
• Incident reporting
• System/audit logs
• Audits/security reviews
• Job rotation

23
The Control

• Separation of Duties Layered Defense
• Protection of printouts
• Heading/Trailing banners with recipient name and
  location
• Protection of print queues

24
The Control

• Audit of facility and processes
• audit logs
• logons
• operating system calls/utilities
• system connectivity

25
The Problem

• Inability to recover from failures
• Legal liabilities

26
The Control

• Redundancy
• Regular backups of all software and files
• Hardware Asset Management
• Hardware configuration
• Hardware inventory
• Fault tolerant equipment - design reliability
• Configuration
• Secure disposal
• Cleaning/Sanitizing
• Overwriting
• Degaussing
• Destruction
• Environmental protection

27
The ProblemEnvironmental Contamination

• Buildup of conductive particles, contaminants
• Circuit boards, microswitches, sensors
• Spontaneous combustion
• National Fire Protection - US computer room fire
  every 10 min
• 80 unknown causes (HW)

28
Controls Environmental

• Control program
• Separate equipment
• Activity restrictions
• Brushless vacuums with micron ratings lt 1 micron
  or wall mounted vacuum outside
• Non ion-generating purifiers, conditioners,
  heaters
• Tile quality of floors
• Train maintenance staff

29
The Control

• Software Asset Management
• Operating/Backup software inventory
• Backups
• Generations
• Off-site
• Environmental control
• Controlled authorized access to backups

30
The Control

• Trusted recovery procedures
• Ensure security not breached during system crash
  and recovery
• Requires backup
• Reboot (Crash or power failure)
• Recover file systems (Missing resource)
• Restore files and databases (Inconsistent
  database)
• Check security files (System compromise)

31
Trusted System Operations

• Trusted computer base - HW/FW/SW protected by
  appropriate mechanisms at appropriate level of
  sensitivity/security to enforce security policy
• Trusted facility management - supports separate
  operator and administrator roles (B2)
• Clearly identify security admin functions
• Definition - Integrity
• formal declaration or certification of a product

32
Definitions

• Operational assurance
• Verification that a system is operating according
  to its security requirements
• Design Development reviews
• Formal modeling
• Security architecture
• Assurance
• Degree of confidence that the implemented
  security measures work as intended

33
The Control

• Contingency Management
• Tested procedures to be taken before, during and
  after a threatening incident
• Continuity of operations - maintenance of
  essential DP services after incident
• Recovery procedure - actions to restore DP
  capability after incident

34
Emergency Procedures

• Communications channel for evacuation signal
• Procedures to secure tapes, programs,
• Evacuation routes/wardens
• Transportation routes for transporting employees
• Medical assistance
• Requesting police/fire assistance
• Storing backup files off-site
• Activating backup

35
Configuration Management

• Controlling modifications to system HW/FW/
  SW/Documentation
• Ensure integrity and limiting non-approved
  changes
• Baseline controls
• policies
• standards
• procedures
• responsibilities
• requirements
• impact assessments
• software level maintenance

36
Configuration Management

• Organized and consistent plan covering
• description of physical/media controls
• electronic transfer of software
• communications software/protocols
• encryption methods/devices
• security features/limitations of software
• hardware requirements/settings/protocols
• system responsibilities/authorities
• security roles/responsibilities
• user needs (sensitivity, functionality)
• audit information and process
• risk assessment results

37
Risk Assessment/Analysis

• Includes
• Threat
• Vulnerability
• Asset
• Ease of Use principle
• A system that is easier to secure is more likely
  to be secure

38
Vulnerabilities Summary

• Improper access to system utilities
• Improper access to information
• Improper update of information
• Improper destruction of information
• Improper change to job schedule
• Improper access to printed materials
• Physical access to the computer room
• Physical access to printouts
• Access to print queues
• Denial of service
• Inability to recover from failures
• Fraud

39
Summary of Controls

• Personnel reviews - Background checks
• Password management
• Logging of all activities
• Problem reporting and change procedures
• All changes require approval
• Granular access control over system commands
• Individual access permissions

40
Summary of Controls

• Periodic review of access needed/granted
• Operational staff should not code or approve
  changes
• Operational staff should not perform security
  duties
• Operations staff should not do data entry
• Responsibilities in Operations should be divided
• Password Management
• Emergency procedures requiring approval

41
Summary of Controls

• Read vs Read/Write access
• Authorization for access to the facility
• Enforced control of access to the facility
• Physical oversight of operator console
• Protection of printouts
• Positive identification and logging of printouts
• Protection of print queues
• Regular backups of all software and files
• Off-site storage of backups
• Environmental control of backup storage
• Controlled authorized access to backups

42
The Real World

• Operations Controls
• Organizations understaffed, wear too many hats
• Separation of duties seldom complete
• A single password is used by all operators
• System commands are unrestricted on the console
• OR are granted to all operations staff
• Emergency procedures and approvals poorly defined
• Operations personnel may support system software
• OR perform security functions

43
The Real World (2)

• Operations Controls
• Most of IS and many users have access to facility
• Printouts are laid out for pickup without
  oversight
• Print queues are openly available to on-line
  users
• Only some platforms are backed up
• Backups are often stored on site
• In computer room
• OR In an office
• No restrictions are placed on access to backups

44
Media Controls

• Tapes, disks, diskettes, cards, paper, optical
• Volume labels required
• Human/machine readable
• Date created, created by
• Date to destroy/retention period
• Volume/file name, version
• Classification
• Audit trail
• Separation of responsibility - librarian
• Backup procedures

45
Final Considerations

• What system commands are available?
• To whom? With what authentication?
• How are changes made and approved?
• To system software? To applications? To access?
• How are responsibilities divided?
• How available are printouts/print queues?
• How accessible is operations facility?
• Proportionality - Cost vs Benefit

Files graciously shared by Ben Rothke. Reformatted
and edited for Slide presentation